Connect with us

Malware

Exposed Secrets: Unmasking Data Breaches, Stolen Credentials & Illicit Dark Web Bazaars

Published

on

Person typing on a keyboard

Infostealer malware is a significant and often underestimated threat to corporate information security teams. These malicious programs infect computers, steal credentials saved in browsers, along with active session cookies and other data, and send it back to the attacker’s command and control infrastructure. In some cases, the malware even self-terminates after completing its mission.

In this article, we’ll discuss how cybercriminals use stolen credentials to gain unauthorized access to privileged IT infrastructure, leading to data breaches and ransomware attacks. But infostealers aren’t the only threat; leaked credentials from more traditional sources continue to pose substantial risks to organizations.

It’s no secret that people often reuse the same password across multiple applications, creating a perfect opportunity for hackers to brute force their way into software-as-a-service (SaaS) and on-premises applications.

At IT Services, we currently monitor over forty million stealer logs. This number is growing by millions every month, with an expected increase in 2024. Additionally, we monitor over 14 billion leaked credentials found in data dumps across the dark web.

This unique perspective allows us to see firsthand how threat actors acquire, distribute, and use leaked credentials.

Understanding Leaked Credentials

To better comprehend leaked credentials, we can categorize them into tiers based on the method of leakage and the risk they pose to organizations. This approach, pioneered by Jason Haddix, helps security professionals clearly communicate credential leak risks to managers and corporate executives.

Tier 1 Leaked Credentials

Tier 1 leaked credentials result from third-party application or service breaches. When these breaches occur, all users of the affected service have their passwords compromised and distributed in a data dump on the dark web. This is the most common type of leaked credential.

For example, imagine a fictional corporation called Scatterholt with user logins for hundreds of thousands of consumers. If attackers breach Scatterholt and access the identity and access management system, they could steal these credentials and leak them onto the dark web.

Scatterholt could force a password reset for all users, but it’s likely that many users have reused the same password across other services. This leak gives threat actors the opportunity to use brute force techniques to gain access to other applications that share the same password.

Defending Against Tier 1 Leaked Credentials

Organizations can employ several well-researched defenses to reduce risk. First and foremost: monitor a leaked credentials database for corporate employee emails. This single action can make a massive difference as threat actors deliberately target passwords associated with corporate email addresses to facilitate data breaches.

Secondly, require users to routinely reset passwords on a schedule, ensuring that if a specific password is breached, they will have already rotated other corporate credentials.

Finally, we recommend using a password manager with a policy requiring employees to randomize passwords for various applications and store them securely, reducing the risk of employees making only minor changes to passwords.

The Special Case of Combolists

Combolists are collections of credential pairs, organized by service or geographically, used by cybercriminals in combination with brute force tools to attempt to gain access to various services.

Screenshot of combolist
Screenshot of combolist
Source: IT Services

These credentials often come from previous known breaches, stealer logs, or are entirely fabricated. The exact source is never entirely clear, but the sheer volume of credentials available through combolists, combined with frequent password reuse, makes them a significant attack vector.

Tier 2 Leaked Credentials

Tier 2 leaked credentials pose a unique risk to companies. These credentials are harvested directly from users through infostealer malware that steals all passwords saved in the browser.

We consider tier 2 leaked credentials to be of significantly increased risk to both the company and the user for the following reasons:

  • A single stealer log will contain all of the credentials the user saved in their browser. This creates a perfect opportunity for threat actors to socially engineer the victim, the IT help desk, or even the company using the victim’s information.
  • These logs contain the plain text username, password, and host for the credentials, often for hundreds of different logins. Threat actors have an enormous advantage when they can see dozens of password variations that the user uses.
  • These logs often contain form-fill data with answers to secret questions, which can be effectively used to bypass websites with secret questions.

Screenshot of the information stealer logs can contain, including cookies, passwords, and other sensitive information
Screenshot of the information stealer logs can contain, including cookies, passwords, and other sensitive information
Source: IT Services

Tier 3 Leaked Credentials

This tier of leaks, also from stealer logs, poses an extreme risk to organizations. Fresh stealer logs often contain active session cookies, which threat actors can easily use for session hijacking attacks. In these attacks, they impersonate the victim and potentially bypass two-factor authentication (2FA) and multi-factor authentication (MFA) controls.

Discovering a fresh stealer log with corporate credentials should immediately prompt an incident investigation, as it’s highly likely that the passwords are working and that threat actors could directly access corporate resources.

Screenshot from Telegram of a malware store
Screenshot from Telegram of a malware store
Source: IT Services

Defending Against Tier 3 Leaked Credentials

Limit the time-to-live (TTL) for corporate applications to reduce the risk of session cookies remaining valid if distributed as a result of an infostealer infection.

Multi-Factor Authentication Isn’t a Silver Bullet

Not monitoring leaked credentials likely means that many of your employees use single-factor authentication, as their passwords may have been exposed. Many people believe that enabling 2FA is sufficient protection against stolen credentials, but the reality is that threat actors are aware of the obstacle 2FA presents and have developed techniques to overcome it.

Whether through social engineering of employees, using 2FA bots to capture one-time codes/passwords from victims, or even SIM-swapping, there are many ways to bypass MFA controls that are actively used in the wild.

The best defense against these types of attacks involves using authenticator apps, which feature temporary rotating codes instead of one-time passwords received via email or SMS. These applications are usually more secure and ensure that the user controls a second device to some extent.

Concerned about Credentials? We Can Help

IT Services monitors more than 14 billion leaked credentials distributed on the dark web and hundreds of millions leaked through infostealer malware.

Our platform sets up in 30 minutes and provides robust detection for leaked employee credentials across hundreds of forums, channels, and marketplaces.

Check out our free trial.

Sponsored and written by IT Services.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Malware

UnitedHealth Reveals Massive Data Breach: 100 Million Records Stolen from Change Healthcare

Discover how UnitedHealth Group suffered a data breach at Change Healthcare, impacting over 100 million individuals. Learn about the unauthorized access and possible consequences for those affected in this major healthcare cyberattack.

Published

on

It’s official: over 100 million people had their personal information and healthcare data stolen in the Change Healthcare ransomware attack, making it the largest healthcare data breach in recent years. UnitedHealth, the parent company of Change Healthcare, has finally confirmed this staggering number.

Just imagine that: “maybe a third” of all Americans’ health data was exposed in this attack, as UnitedHealth CEO Andrew Witty warned during a congressional hearing in May. This is a massive breach that has affected a “substantial proportion of people in America.”

So, what exactly was stolen during this ransomware attack? According to data breach notifications sent by Change Healthcare, the sensitive information includes health insurance details, medical history, billing and payment info, and other personal data like Social Security numbers and driver’s license numbers. Not everyone’s complete medical history was exposed, but still, the sheer scale of this breach is alarming.

How did the Change Healthcare ransomware attack happen?

In February, the UnitedHealth subsidiary Change Healthcare fell victim to a ransomware attack that led to widespread outages in the U.S. healthcare system. The culprits? The BlackCat ransomware gang, aka ALPHV, who used stolen credentials to breach the company’s Citrix remote access service, which did not have multi-factor authentication enabled.

During the attack, the criminals stole a whopping 6 TB of data and encrypted computers on the network. This caused the company to shut down IT systems to prevent further damage. In the aftermath, doctors and pharmacies were unable to file claims, and patients were forced to pay full price for medications because pharmacies couldn’t accept discount prescription cards.

UnitedHealth Group ended up paying a ransom demand of allegedly $22 million to receive a decryptor and ensure the stolen data would be deleted. However, the ransomware gang pulled a fast one: they suddenly shut down and stole the entire payment for themselves, leaving Change Healthcare’s data in the hands of a rogue affiliate.

As if that wasn’t enough, the affiliate partnered with a new ransomware operation named RansomHub and began leaking some of the stolen data, demanding an additional payment for the data not to be released. It’s unclear whether United Health paid a second ransom demand, as the entry for Change Healthcare on RansomHub’s data leak site disappeared a few days later.

The financial toll of this attack has been enormous. UnitedHealth reported in April that the ransomware attack caused $872 million in losses, which increased to an expected $2.45 billion for the nine months to September 30, 2024, as part of their Q3 2024 earnings.

What can we learn from this massive breach?

This incident highlights the importance of strong cybersecurity measures, especially in the healthcare industry. We must prioritize the protection of sensitive data and invest in robust security systems to prevent future attacks. It’s time for all of us to take cybersecurity seriously.

Stay informed and keep coming back to learn more about the latest cybersecurity news, threats, and best practices. Together, we can work towards a safer digital landscape. If you have any questions or concerns about your organization’s security, don’t hesitate to reach out to us. We’re here to help.

Continue Reading

Malware

Henry Schein’s Wake-Up Call: Uncovering the Data Breach One Year Later



Can you imagine discovering that your personal information was exposed in a data breach one whole year after the fact? That’s exactly what happened to thousands of customers of Henry Schein, a leading provider of medical and dental supplies. This isn’t just an unfortunate incident; it’s a sobering reminder of the importance of cybersecurity in today’s digital age. And it’s a wake-up call for businesses of all sizes to step up their security game.




A Shocking Discovery: The Ransomware Attack That Rocked Henry Schein



Picture yourself walking into your office on a typical Monday morning. You grab a cup of coffee, sit down at your desk, and power up your computer. Suddenly, you’re greeted by a chilling message: “Your files have been encrypted. Pay up or lose everything.”



That’s what happened to Henry Schein in February 2020 when they fell victim to a ransomware attack. The company was forced to shut down its systems to contain the damage. While they managed to recover from the attack, the incident left a lasting impression. But the real shocker came one year later when the company discovered that sensitive customer data had also been compromised during the attack.



Playing Catch-Up: The Long-Term Impact of a Data Breach



A data breach can have far-reaching consequences for both consumers and businesses. For consumers, the risks are clear: identity theft, financial fraud, and a host of other potential problems. But businesses like Henry Schein also face serious fallout from a data breach. The financial burden of incident response, customer notifications, and potential lawsuits can be staggering. And then there’s the damage to a company’s reputation, which can take years to repair.



According to a 2020 IBM study, the average cost of a data breach in the United States is $8.64 million. That’s a hefty price tag for any business to bear.




Learning from Henry Schein’s Mistake: The Importance of Proactive Cybersecurity



It’s easy to look at the Henry Schein incident and think, “That couldn’t happen to me.” But, as a cybersecurity expert, I can tell you that no business is immune to cyber threats. In fact, 43% of cyberattacks are aimed at small businesses, and 60% of those targeted go out of business within six months.



The key takeaway from the Henry Schein debacle is the importance of proactive cybersecurity. It’s not enough to react to threats as they arise; businesses need to be constantly monitoring and updating their security practices to stay ahead of the game.




Don’t Be a Victim: Take Action to Protect Your Business Today


It’s time to take a stand against cyber threats. Whether you’re a small business owner or part of a major corporation, investing in cybersecurity measures is essential to protect your company’s sensitive data and maintain customer trust.



Get started by conducting a thorough security audit of your systems and processes. Identify potential weaknesses and work to address them. Regularly update software and hardware to ensure your systems are up-to-date. Provide comprehensive cybersecurity training for your employees to help prevent human error and promote a culture of security awareness.



And most importantly, don’t hesitate to seek professional help when needed. As your cybersecurity partner, we can help you navigate the complex world of digital security and ensure your business is protected against ever-evolving threats.



Don’t wait for a wake-up call like Henry Schein’s. Take action to protect your business today. Contact us to learn more about our comprehensive cybersecurity solutions and keep coming back for the latest information on how to stay secure in an increasingly connected world.

Why Cybersecurity Matters: A Personal Perspective

Imagine this: you’re planning a surprise birthday party for your best friend. You’ve spent weeks organizing the event, and the big day is almost here. The last thing you need is someone spoiling the surprise, right? Now, imagine if that someone was a hacker who got their hands on your personal information and ruined everything. That’s what can happen when you don’t take cybersecurity seriously. And that’s just a small-scale example.

The Growing Impact of Cybercrime

Let me give you some staggering statistics: In 2020, cybercrime damages amounted to $6 trillion globally. By 2025, that number is expected to rise to $10.5 trillion. That’s a lot of money! But it’s not just about the financial impact. Cybercrime can lead to identity theft, ruined reputations, and even physical harm. So, how can you protect yourself and your loved ones from this growing threat?

Understanding the Basics of Cybersecurity

Think of cybersecurity as a shield that protects your digital life. It’s like locking your doors and windows at night to keep intruders out. There are several ways to improve your cybersecurity, and it all starts with understanding the basics:

  • Passwords: Use strong, unique passwords for each account and change them regularly. A good rule of thumb is to create passwords with at least 12 characters, including uppercase and lowercase letters, numbers, and symbols.
  • Software Updates: Keep your devices and software up-to-date. Hackers often exploit vulnerabilities in outdated software, so make sure you’re always using the latest versions.
  • Phishing Scams: Be cautious when opening emails or clicking on links from unknown sources. Phishing scams often use deceptive messages to trick you into revealing sensitive information.

Empower Yourself Through Knowledge

Knowledge is power, and in the world of cybersecurity, it’s your best defense against cybercriminals. Stay informed about the latest threats, learn about new technologies, and be proactive in safeguarding your digital life. Remember, cybersecurity isn’t a one-time task – it’s an ongoing process that requires your constant attention.

Take Action Today

Now that you have a better understanding of why cybersecurity matters, I encourage you to take action. Start by implementing the basic security measures I mentioned earlier, and then continue to educate yourself and stay informed. If you’re looking for more resources and guidance, reach out to us. We’re here to help you navigate the complex world of cybersecurity and protect your digital life.

So, don’t wait until your surprise party is ruined. Take action now and ensure that your digital life remains secure and private.

Published

on

Exterior view of a brick office building with the sign "Henry Schein Inc." on the wall, surrounded by trees and shrubs, showcasing a firm committed to robust cybersecurity measures in light of recent data breaches.

Imagine this: you’re a hugely successful healthcare solutions provider, with operations in 32 countries and a revenue of over $12 billion in 2022. You’ve earned your place as a Fortune 500 company. But then, out of nowhere, you’re hit by not one, but two cyberattacks in a row. Sounds like a nightmare, right? Well, that’s precisely what happened to Henry Schein in 2023.

The Double Whammy of Cyberattacks

On October 15, 2023, Henry Schein was forced to take some systems offline due to a cyberattack that impacted their manufacturing and distribution operations. The culprits? The notorious BlackCat Ransomware gang, who claimed responsibility and boasted about stealing 35 TB of sensitive files.

But the trouble didn’t end there. On November 22, the company disclosed that they were hit by the same gang yet again. This time, the ransomware gang encrypted Henry Schein’s network after negotiations failed and even threatened a third attack if a ransom was not paid.

While it’s unclear if the attackers followed through with their threats, they did release some of the stolen data on their leak site.

The Aftermath: Over 160,000 People Affected

Fast forward to over a year later, and Henry Schein has finally confirmed the extent of the damage. In a data breach notification to the Maine Attorney General, the company revealed that the ransomware gang managed to steal the personal data of 166,432 people during these attacks.

It took a considerable amount of time and resources to review the affected files and identify the information that was obtained by the unauthorized third party. The investigation determined that personal information, along with other sensitive data, was impacted during the incident.

We reached out to Henry Schein to ask about the type of data stolen but did not receive a response. However, the company is now offering impacted users a free 24-month membership to Experian’s IdentityWorksSM to help monitor their credit history and detect signs of fraud.

What Can You Learn from This?

As a US reader, you might be thinking, “Why should I care about a healthcare solutions provider halfway across the world?” Well, the truth is, cyberattacks can happen to anyone, anywhere. And as we’ve seen with Henry Schein, even the biggest and most successful companies aren’t immune.

So, what can you do to protect yourself and your business? The best way is to stay informed and be proactive about your cybersecurity practices. That’s where we come in. Our IT Services team is dedicated to helping you stay ahead of the curve and ensure that you’re well-equipped to handle any cyber threats that come your way.

Don’t wait until it’s too late. Contact us today to learn more about our cybersecurity services and how we can help you safeguard your valuable data. And remember, keep coming back to stay informed and up-to-date on the latest cybersecurity news and trends.

Continue Reading

Malware

Landmark Insurance Admin Reveals Massive Data Breach Affecting 800,000 Individuals: Urgent Action Required

Insurance administrator Landmark White has reported a data breach impacting 800,000 people. The breach exposed personal information such as names, addresses, and contact details. Landmark White is working with authorities to investigate the incident and has made efforts to secure the data and limit any potential damage.

Published

on

A Wake-Up Call from a Massive Data Breach

Imagine the shock and fear when you learn that your personal information has been compromised in a cyberattack. For over 800,000 people, this nightmare became a reality when insurance administrative services company Landmark Admin fell victim to a data breach in May.

Who is Landmark Admin and Why Does it Matter?

Landmark Admin is a third-party administrator for insurance companies, providing essential back-office services like new business processing and claims administration for major insurance carriers. Some of these carriers include American Monumental Life Insurance Company, Pellerin Life Insurance Company, American Benefit Life Insurance Company, Liberty Bankers Life Insurance Company, Continental Mutual Insurance Company, and Capitol Life Insurance Company.

What Happened During the Cyberattack?

According to a filing with the Main Attorney General’s office, Landmark detected suspicious activity on May 13th, prompting the company to shut down its IT systems and remote access to its network to prevent the spread of the attack. They then enlisted the help of a third-party cybersecurity company to address the incident and investigate whether any data was stolen.

What Did the Investigation Discover?

During the investigation, Landmark found evidence that the attacker accessed files containing the personal information of 806,519 people. The affected individuals’ data included first and last names, addresses, Social Security numbers, tax identification numbers, driver’s license numbers, passport numbers, financial account numbers, medical information, dates of birth, health insurance policy numbers, and life and annuity policy information.

Landmark is notifying affected individuals by mail and will continue to update them as the investigation progresses. However, at this time, no threat actors have claimed responsibility for the attack, leaving the true nature of the incident—whether ransomware or data theft—unknown.

What Should Impacted Individuals Do Now?

Due to the sensitive nature of the stolen data, it’s crucial for impacted people to keep a close eye on their credit reports and bank accounts for any suspicious activity. The breach serves as a stark reminder of the importance of cybersecurity and the need to protect our personal information.

Don’t Wait Until It’s Too Late

Don’t let this story become your reality. Be proactive in safeguarding your personal and business data by contacting us to learn more about how we can help you stay one step ahead of cyber threats. By working together, we can ensure that your information remains secure and out of the wrong hands.

Continue Reading
Advertisement
Malware1 day ago

UnitedHealth Reveals Massive Data Breach: 100 Million Records Stolen from Change Healthcare

Exterior view of a brick office building with the sign "Henry Schein Inc." on the wall, surrounded by trees and shrubs, showcasing a firm committed to robust cybersecurity measures in light of recent data breaches.
Malware2 days ago

Henry Schein’s Wake-Up Call: Uncovering the Data Breach One Year Later



Can you imagine discovering that your personal information was exposed in a data breach one whole year after the fact? That’s exactly what happened to thousands of customers of Henry Schein, a leading provider of medical and dental supplies. This isn’t just an unfortunate incident; it’s a sobering reminder of the importance of cybersecurity in today’s digital age. And it’s a wake-up call for businesses of all sizes to step up their security game.




A Shocking Discovery: The Ransomware Attack That Rocked Henry Schein



Picture yourself walking into your office on a typical Monday morning. You grab a cup of coffee, sit down at your desk, and power up your computer. Suddenly, you’re greeted by a chilling message: “Your files have been encrypted. Pay up or lose everything.”



That’s what happened to Henry Schein in February 2020 when they fell victim to a ransomware attack. The company was forced to shut down its systems to contain the damage. While they managed to recover from the attack, the incident left a lasting impression. But the real shocker came one year later when the company discovered that sensitive customer data had also been compromised during the attack.



Playing Catch-Up: The Long-Term Impact of a Data Breach



A data breach can have far-reaching consequences for both consumers and businesses. For consumers, the risks are clear: identity theft, financial fraud, and a host of other potential problems. But businesses like Henry Schein also face serious fallout from a data breach. The financial burden of incident response, customer notifications, and potential lawsuits can be staggering. And then there’s the damage to a company’s reputation, which can take years to repair.



According to a 2020 IBM study, the average cost of a data breach in the United States is $8.64 million. That’s a hefty price tag for any business to bear.




Learning from Henry Schein’s Mistake: The Importance of Proactive Cybersecurity



It’s easy to look at the Henry Schein incident and think, “That couldn’t happen to me.” But, as a cybersecurity expert, I can tell you that no business is immune to cyber threats. In fact, 43% of cyberattacks are aimed at small businesses, and 60% of those targeted go out of business within six months.



The key takeaway from the Henry Schein debacle is the importance of proactive cybersecurity. It’s not enough to react to threats as they arise; businesses need to be constantly monitoring and updating their security practices to stay ahead of the game.




Don’t Be a Victim: Take Action to Protect Your Business Today


It’s time to take a stand against cyber threats. Whether you’re a small business owner or part of a major corporation, investing in cybersecurity measures is essential to protect your company’s sensitive data and maintain customer trust.



Get started by conducting a thorough security audit of your systems and processes. Identify potential weaknesses and work to address them. Regularly update software and hardware to ensure your systems are up-to-date. Provide comprehensive cybersecurity training for your employees to help prevent human error and promote a culture of security awareness.



And most importantly, don’t hesitate to seek professional help when needed. As your cybersecurity partner, we can help you navigate the complex world of digital security and ensure your business is protected against ever-evolving threats.



Don’t wait for a wake-up call like Henry Schein’s. Take action to protect your business today. Contact us to learn more about our comprehensive cybersecurity solutions and keep coming back for the latest information on how to stay secure in an increasingly connected world.

Malware3 days ago

Landmark Insurance Admin Reveals Massive Data Breach Affecting 800,000 Individuals: Urgent Action Required

Trending

Copyright © 2023 IT Services Network.